So for a long time I had a spare Vax (MicroVAX III if you're wondering) hooked up to a modem on an unused phone line (yes it answered as KREMVAX), and when sufficient internet bandwidth came along put it on the Internet to watch people "hack" it. It was fun because they would get all confused when their x86 exploit code wasn't even a thing :-).
But your comment reminded me that if I ran a virtual VAX and then a virtual Windows on top of that and a browser in the windows, breaking out of the 'guest' into VMS would really challenge the bad guys tool box in terms of zero days :-) Fun to contemplate on a Friday afternoon.
That only applied to Xen's paravirtualization mode (runnning a modified guest OS as an unprivileged process), not the hardware-assisted virtualization.
Repeat as many times as necessary based on your paranoia levels. Inception.